CVE-2026-5641 - Vulnerability Details

- PHPGurukul Online Shopping Portal Project Parameter update-image1.php sql injection

Description

A vulnerability was found in PHPGurukul Online Shopping Portal Project 2.1. The impacted element is an unknown function of the file /admin/update-image1.php of the component Parameter Handler. The manipulation of the argument filename results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.

Published: 2026-04-06

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises in the /admin/update-image1.php file of the PHPGurukul Online Shopping Portal Project. An attacker can manipulate the filename parameter to inject arbitrary SQL code. This flaw is a classic SQL injection (CWE-74 and CWE-89) that could allow an attacker to read or modify database records, potentially compromising confidentiality, integrity, or availability of the application’s data.

Affected Systems

The affected product is PHPGurukul Online Shopping Portal Project version 2.1. The issue resides in the Parameter Handler component of the admin interface. No other versions are explicitly listed as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 classifies this vulnerability as medium risk, and the lack of EPSS data means the exact likelihood of exploitation is uncertain. The description indicates that the attack can be performed remotely, likely by sending a crafted request to the filename argument of /admin/update-image1.php. While the exploit is publicly available, its effective use requires access to the admin endpoint, which could be privileged or protected by authentication. The overall risk is moderate, with potential for significant data compromise if the vulnerability is exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

PHPGurukul

Online Shopping Portal Project

affected

Version	Status	Constraints
`2.1`	affected	—

No data.

Vendor Product Confidence Versions

Phpgurukul

Online Shopping Portal Project

95%

Version	Status	Scheme	Platform
`2.1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an available patch or upgrade to the latest version of the PHPGurukul Online Shopping Portal Project that resolves the SQL injection issue.
Restrict access to /admin/update-image1.php to authorized administrators only, using authentication or firewall rules.
Validate and sanitize the filename parameter server-side to prevent injection.
Monitor logs for suspicious activity on the /admin/update-image1.php endpoint.
Limit database permissions for the application to reduce the impact of any injection.

Generated by OpenCVE AI on April 6, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/f1rstb100d/CVE/issues/19
https://phpgurukul.com/
https://vuldb.com/submit/785993
https://vuldb.com/vuln/355429
https://vuldb.com/vuln/355429/cti

History

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in PHPGurukul Online Shopping Portal Project 2.1. The impacted element is an unknown function of the file /admin/update-image1.php of the component Parameter Handler. The manipulation of the argument filename results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.
Title		PHPGurukul Online Shopping Portal Project Parameter update-image1.php sql injection
First Time appeared		Phpgurukul Phpgurukul online Shopping Portal Project
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:phpgurukul:online_shopping_portal_project::::::::
Vendors & Products		Phpgurukul Phpgurukul online Shopping Portal Project
References		https://github.com/f1rstb100d/CVE/issues/19 https://phpgurukul.com/ https://vuldb.com/submit/785993 https://vuldb.com/vuln/355429 https://vuldb.com/vuln/355429/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Phpgurukul Online Shopping Portal Project

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-06T09:15:11.825Z

Updated: 2026-04-06T14:49:24.340Z

Reserved: 2026-04-05T20:31:06.845Z

Link: CVE-2026-5641

Vulnrichment

Updated: 2026-04-06T14:33:47.247Z

NVD

Status : Awaiting Analysis

Published: 2026-04-06T10:16:02.297

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:33:01Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object